[release/5.0.1xx] Enable post build signing (#8764)

* Enable post build signing Enables post build signing of installer by including the items that need to be signed post build in an ItemsToSignPostBuild item group and moving the file signing information into the Signing.props files. Changes to in-build signing have been verified by taking a drop with the current in-build structure and comparing the the signatures and strong name keys between files in equivalent builds. * Enable post build signing Enables post build signing of installer by including the items that need to be signed post build in an ItemsToSignPostBuild item group and moving the file signing information into the Signing.props files. Changes to in-build signing have been verified by taking a drop with the current in-build structure and comparing the the signatures and strong name keys between files in equivalent builds. Co-authored-by: dotnet-bot <dotnet-bot@dotnetfoundation.org> Co-authored-by: Christopher Costa <chcosta@microsoft.com>
2020-10-14 14:55:38 -07:00 · 2020-10-14 14:55:38 -07:00 · e8dddcc611
commit e8dddcc611
parent 6f9d636715
4 changed files with 110 additions and 143 deletions
--- a/eng/Publishing.props
+++ b/eng/Publishing.props
@ -8,7 +8,6 @@
  <PropertyGroup>
    <Product>Sdk</Product>
    <BlobStoragePartialRelativePath>$(Product)</BlobStoragePartialRelativePath>
-    <BlobStoragePartialRelativePath Condition="'$(IsNotOrchestratedPublish)' == 'false'">assets/$(Product)</BlobStoragePartialRelativePath>
    <ChecksumsFeedUrl>$(DotnetPublishChecksumsBlobFeedUrl)</ChecksumsFeedUrl>
    <SdkAssetsFeedUrl>$(DotnetPublishSdkAssetsBlobFeedUrl)</SdkAssetsFeedUrl>

@ -56,10 +55,8 @@
      <BaseAssetManifestFileName>$(AssetManifestOS)</BaseAssetManifestFileName>
      <BaseAssetManifestFileName Condition="'$(AGENT_JOBNAME)' == '' and '$(Architecture)' != ''">$(AssetManifestOS)-$(Architecture)</BaseAssetManifestFileName>
      <InstallersAssetManifestFileName>$(BaseAssetManifestFileName)-installers</InstallersAssetManifestFileName>
-      <ChecksumsAssetManifestFileName>$(BaseAssetManifestFileName)-checksums</ChecksumsAssetManifestFileName>
      <!-- Property AssetManifestFilePath would be reassigned by the Arcade SDK, so use a different name (InstallersAssetManifestFilePath) -->
      <InstallersAssetManifestFilePath>$(ArtifactsLogDir)AssetManifest\$(InstallersAssetManifestFileName).xml</InstallersAssetManifestFilePath>
-      <ChecksumsAssetManifestFilePath>$(ArtifactsLogDir)AssetManifest\$(ChecksumsAssetManifestFileName).xml</ChecksumsAssetManifestFilePath>

      <DotnetTempWorkingDirectory>$(ArtifactsDir)..\DotnetAssetsTmpDir\$([System.Guid]::NewGuid())</DotnetTempWorkingDirectory>
      <ChecksumTempWorkingDirectory>$(ArtifactsDir)..\ChecksumAssetsTmpDir\$([System.Guid]::NewGuid())</ChecksumTempWorkingDirectory>
@ -119,26 +116,29 @@
      </ChecksumsToPushToBlobFeed>
    </ItemGroup>

+    <PropertyGroup>
+      <IsStableBuild>false</IsStableBuild>
+      <IsStableBuild Condition="'$(DotNetFinalVersionKind)' == 'release'">true</IsStableBuild>
+    </PropertyGroup>
+
    <PushToAzureDevOpsArtifacts
-      ItemsToPush="@(SdkAssetsToPushToBlobFeed)"
+      AzureDevOpsCollectionUri="$(SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)"
+      AzureDevOpsProject="$(SYSTEM_TEAMPROJECT)"
+      AzureDevOpsBuildId="$(BUILD_BUILDID)"
+      ItemsToPush="@(SdkAssetsToPushToBlobFeed);@(ChecksumsToPushToBlobFeed)"
+      ItemsToSign="@(ItemsToSignPostBuild)"
+      CertificatesSignInfo="@(CertificatesSignInfo)"
+      StrongNameSignInfo="@(StrongNameSignInfo)"
+      FileSignInfo="@(FileSignInfo)"
+      FileExtensionSignInfo="@(FileExtensionSignInfo)"
      ManifestBuildData="@(ManifestBuildData)"
-      ManifestRepoUri="$(BUILD_REPOSITORY_NAME)"
+      ManifestRepoName="$(BUILD_REPOSITORY_NAME)"
      ManifestBranch="$(BUILD_SOURCEBRANCH)"
      ManifestBuildId="$(BUILD_BUILDNUMBER)"
      ManifestCommit="$(BUILD_SOURCEVERSION)"
      AssetManifestPath="$(InstallersAssetManifestFilePath)"
      PublishFlatContainer="true"
-      PublishingVersion="3"/>
-
-    <PushToAzureDevOpsArtifacts
-      ItemsToPush="@(ChecksumsToPushToBlobFeed)"
-      ManifestBuildData="@(ManifestBuildData)"
-      ManifestRepoUri="$(BUILD_REPOSITORY_NAME)"
-      ManifestBranch="$(BUILD_SOURCEBRANCH)"
-      ManifestBuildId="$(BUILD_BUILDNUMBER)"
-      ManifestCommit="$(BUILD_SOURCEVERSION)"
-      AssetManifestPath="$(ChecksumsAssetManifestFilePath)"
-      PublishFlatContainer="true" 
-      PublishingVersion="3"/>
+      IsStableBuild="$(IsStableBuild)"
+      PublishingVersion="3" />
  </Target>
 </Project>
--- a/eng/Signing.props
+++ b/eng/Signing.props
@ -1,16 +1,56 @@
 <Project>

  <ItemGroup>
-    <!-- Do not sign non-shipping packages -->
+    <!-- Do not sign non-shipping packages when doing in-build signing -->
    <ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" />
  </ItemGroup>

+  <ItemGroup Condition="'$(PostBuildSign)' == 'true'">
+    <ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.zip" />
+    <ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.exe" />
+    <ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.msi" />
+    <ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.nupkg" />
+    <ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.msi" />
+    <ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.zip" />
+    <ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.nupkg" />
+  </ItemGroup>
+
  <PropertyGroup>
+    <ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
+    <InternalCertificateId Condition="'$(InternalCertificateId)' == ''">Microsoft400</InternalCertificateId>
+
    <!--
      Signing of shipping artifacts (layout, msi, bundle) are handled separately.
-      It is therefore expected that above removal can yield an empty set.
+      It is therefore expected that <ItemsToSign> could be an empty set.
    -->
    <AllowEmptySignList>true</AllowEmptySignList>
  </PropertyGroup>

+  <ItemGroup>
+    <FileSignInfo Include="Newtonsoft.Json.dll" CertificateName="$(ExternalCertificateId)" />
+    <FileSignInfo Include="MessagePack.Annotations.dll" CertificateName="$(ExternalCertificateId)" />
+    <FileSignInfo Include="MessagePack.dll" CertificateName="$(ExternalCertificateId)" />
+    <FileSignInfo Include="Nerdbank.Streams.dll" CertificateName="$(ExternalCertificateId)" />
+    <FileSignInfo Include="StreamJsonRpc.dll" CertificateName="$(ExternalCertificateId)" />
+
+    <!-- Files in the layout that should not be signed -->
+    <FileSignInfo Include="apphost.exe" CertificateName="None" />
+
+    <!-- These are 3rd party nupkgs and should not be signed with an MS cert -->
+    <FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates21PackageVersion).nupkg" CertificateName="None" />
+    <FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates30PackageVersion).nupkg" CertificateName="None" />
+    <FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates31PackageVersion).nupkg" CertificateName="None" />
+    <FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates50PackageVersion).nupkg" CertificateName="None" />
+
+    <FileExtensionSignInfo Include=".msi" CertificateName="$(InternalCertificateId)" />
+    <!-- .ttf and .js files come in from some older aspnetcore packages (e.g. 2.1).
+          These files in the 5.0 packages are NOT signed. When doing postbuild signing,
+          SignTool will recognize that the files in the installer zips came from the 5.0 packages
+          pulled in from aspnetcore, and aspnetcore said not to sign them. This info is not
+          available for the 2.1 packages, so we need to avoid signing these in this repo. -->
+    <FileExtensionSignInfo Include=".ttf" CertificateName="None" />
+    <FileExtensionSignInfo Remove=".js" />
+    <FileExtensionSignInfo Include=".js" CertificateName="None" />
+  </ItemGroup>
+
 </Project>
--- a/eng/dockerrun.sh
+++ b/eng/dockerrun.sh
@ -166,6 +166,7 @@ docker run $INTERACTIVE -t --rm --sig-proxy=true \
    -e BUILD_BUILDID \
    -e BUILD_SOURCEVERSION \
    -e SYSTEM_TEAMPROJECT \
+    -e POSTBUILDSIGN \
    -e SYSTEM_DEFINITIONID \
    -e SYSTEM_TEAMFOUNDATIONCOLLECTIONURI \
    -e DOTNETCLIMSRC_READ_SAS_TOKEN \
--- a/src/redist/targets/Signing.targets
+++ b/src/redist/targets/Signing.targets
@ -3,54 +3,13 @@
     <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolVersion)" PrivateAssets="All"  />
  </ItemGroup>

+  <!-- Import Arcade's Sign.props, when then imports the eng/Signing.props for this repo -->
+  <Import Project="../tools/Sign.props" Sdk="Microsoft.DotNet.Arcade.Sdk" />
+    
  <Target Name="SetSignProps"
          Condition="'$(SignCoreSdk)' == 'true'">

    <MakeDir Directories="$(ArtifactsTmpDir)" Condition="!Exists('$(ArtifactsTmpDir)')" />
-    
-    <PropertyGroup>
-      <ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
-      <InternalCertificateId Condition="'$(InternalCertificateId)' == ''">Microsoft400</InternalCertificateId>
-      <NugetCertificateId Condition="'$(NugetCertificateId)' == ''">NuGet</NugetCertificateId>
-    </PropertyGroup>
-
-
-    <!-- Logic copied from https://github.com/dotnet/arcade/blob/master/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
-
-    <ItemGroup>
-      <!--
-      This is intended to hold information about the certificates used for signing.
-      For now the only information required is whether or not the certificate can be
-      used for signing already signed files - DualSigningAllowed==true.
-    -->
-      <CertificatesSignInfo Include="3PartyDual" DualSigningAllowed="true" />
-      <CertificatesSignInfo Include="3PartySHA2" DualSigningAllowed="true" />
-
-      <!-- List of container files that will be opened and checked for files that need to be signed. -->
-      <!--<ItemsToSign Include="$(ArtifactsPackagesDir)**\*.nupkg" />
-      <ItemsToSign Include="$(VisualStudioSetupOutputPath)**\*.vsix" />-->
-
-      <!--
-      Map of file extensions to default certificate name. Files with these extensions are
-      signed with the specified certificate. Particularly useful for files that don't have
-      a public key token.
-      The certificate can be overriden using the StrongNameSignInfo or the FileSignInfo item group.
-    -->
-      <FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJAR" />
-      <FileExtensionSignInfo Include=".js;.ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
-      <FileExtensionSignInfo Include=".dll;.exe" CertificateName="Microsoft400" />
-      <FileExtensionSignInfo Include=".nupkg" CertificateName="NuGet" />
-      <FileExtensionSignInfo Include=".vsix" CertificateName="VsixSHA2" />
-      <FileExtensionSignInfo Include=".zip" CertificateName="None" />
-    </ItemGroup>
-
-    <PropertyGroup>
-      <!-- Control whether an empty ItemsToSign item group is allowed when calling SignToolTask. -->
-      <AllowEmptySignList>false</AllowEmptySignList>
-    </PropertyGroup>
-
-    <!-- Allow repository to customize signing configuration -->
-    <!--<Import Project="$(RepositoryEngineeringDir)Signing.props" Condition="Exists('$(RepositoryEngineeringDir)Signing.props')" />-->

    <!-- Logic copied from https://github.com/dotnet/arcade/blob/master/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
    <Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'"
@ -81,53 +40,41 @@
  </Target>
  
  <Target Name="SignLayout"
-          Condition="'$(SignCoreSdk)' == 'true'"
+          Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
          DependsOnTargets="SetSignProps">

    <ItemGroup>
-      <!-- External files -->
-      <LayoutFilesToSign Include="$(SdkOutputDirectory)**/Newtonsoft.Json.dll;
-                            $(SdkOutputDirectory)**/MessagePack.Annotations.dll;
-                            $(SdkOutputDirectory)**/MessagePack.dll;
-                            $(SdkOutputDirectory)**/Nerdbank.Streams.dll;
-                            $(SdkOutputDirectory)**/StreamJsonRpc.dll">
-        <CertificateName>$(ExternalCertificateId)</CertificateName>
-      </LayoutFilesToSign>
-      <!-- Built binaries -->
      <LayoutFilesToSign Include="$(SdkOutputDirectory)**/csc.exe;
-                            $(SdkOutputDirectory)**/csc.dll;
-                            $(SdkOutputDirectory)**/VBCSCompiler.dll;
-                            $(SdkOutputDirectory)**/vbc.exe;
-                            $(SdkOutputDirectory)**/vbc.dll;
-                            $(SdkOutputDirectory)**/fsc.exe;
-                            $(SdkOutputDirectory)**/fsi.exe;
-                            $(SdkOutputDirectory)**/FSharp.*.dll;
-                            $(SdkOutputDirectory)**/Interactive.DependencyManager.dll;
-                            $(SdkOutputDirectory)**/dotnet.dll;
-                            $(SdkOutputDirectory)**/dotnet.resources.dll;
-                            $(SdkOutputDirectory)**/System.*.dll;
-                            $(SdkOutputDirectory)**/Microsoft.*.dll;
-                            $(SdkOutputDirectory)**/NuGet*.dll;
-                            $(SdkOutputDirectory)**/datacollector.dll;
-                            $(SdkOutputDirectory)**/datacollector.exe;
-                            $(SdkOutputDirectory)**/MSBuild.dll;
-                            $(SdkOutputDirectory)**/MSBuild.resources.dll;
-                            $(SdkOutputDirectory)**/PresentationBuildTasks.dll;
-                            $(SdkOutputDirectory)**/redist.dll;
-                            $(SdkOutputDirectory)**/rzc.dll;
-                            $(SdkOutputDirectory)**/testhost.dll;
-                            $(SdkOutputDirectory)**/testhost.exe;
-                            $(SdkOutputDirectory)**/testhost.x86.exe;
-                            $(SdkOutputDirectory)**/vstest.console.dll;
-                            $(SdkOutputDirectory)**/vstest.console.resources.dll">
-        <CertificateName>$(InternalCertificateId)</CertificateName>
-      </LayoutFilesToSign>
-
-      
-      <LayoutFileSignInfo Include="@(LayoutFilesToSign->'%(Filename)%(Extension)')">
-        <CertificateName>%(CertificateName)</CertificateName>
-      </LayoutFileSignInfo>
-      <DistinctLayoutFileSignInfo Include="@(LayoutFileSignInfo->Distinct())" />
+                                  $(SdkOutputDirectory)**/csc.dll;
+                                  $(SdkOutputDirectory)**/VBCSCompiler.dll;
+                                  $(SdkOutputDirectory)**/vbc.exe;
+                                  $(SdkOutputDirectory)**/vbc.dll;
+                                  $(SdkOutputDirectory)**/fsc.exe;
+                                  $(SdkOutputDirectory)**/fsi.exe;
+                                  $(SdkOutputDirectory)**/FSharp.*.dll;
+                                  $(SdkOutputDirectory)**/Interactive.DependencyManager.dll;
+                                  $(SdkOutputDirectory)**/dotnet.dll;
+                                  $(SdkOutputDirectory)**/dotnet.resources.dll;
+                                  $(SdkOutputDirectory)**/System.*.dll;
+                                  $(SdkOutputDirectory)**/Microsoft.*.dll;
+                                  $(SdkOutputDirectory)**/NuGet*.dll;
+                                  $(SdkOutputDirectory)**/datacollector.dll;
+                                  $(SdkOutputDirectory)**/datacollector.exe;
+                                  $(SdkOutputDirectory)**/MSBuild.dll;
+                                  $(SdkOutputDirectory)**/MSBuild.resources.dll;
+                                  $(SdkOutputDirectory)**/PresentationBuildTasks.dll;
+                                  $(SdkOutputDirectory)**/redist.dll;
+                                  $(SdkOutputDirectory)**/rzc.dll;
+                                  $(SdkOutputDirectory)**/testhost.dll;
+                                  $(SdkOutputDirectory)**/testhost.exe;
+                                  $(SdkOutputDirectory)**/testhost.x86.exe;
+                                  $(SdkOutputDirectory)**/vstest.console.dll;
+                                  $(SdkOutputDirectory)**/vstest.console.resources.dll;
+                                  $(SdkOutputDirectory)**/Newtonsoft.Json.dll;
+                                  $(SdkOutputDirectory)**/MessagePack.Annotations.dll;
+                                  $(SdkOutputDirectory)**/MessagePack.dll;
+                                  $(SdkOutputDirectory)**/Nerdbank.Streams.dll;
+                                  $(SdkOutputDirectory)**/StreamJsonRpc.dll" />
    </ItemGroup>

    <Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(LayoutFilesToSign)' == ''"
@ -136,10 +83,10 @@
    <Microsoft.DotNet.SignTool.SignToolTask
      DryRun="$(_DryRun)"
      TestSign="$(_TestSign)"
-      CertificatesSignInfo="$(CertificatesSignInfo)"
+      CertificatesSignInfo="@(CertificatesSignInfo)"
      ItemsToSign="@(LayoutFilesToSign)"
      StrongNameSignInfo="@(StrongNameSignInfo)"
-      FileSignInfo="@(DistinctLayoutFileSignInfo)"
+      FileSignInfo="@(FileSignInfo)"
      FileExtensionSignInfo="@(FileExtensionSignInfo)"
      TempDir="$(ArtifactsTmpDir)"
      LogDir="$(ArtifactsLogDir)"
@ -150,25 +97,20 @@
  </Target>

  <Target Name="SignSdkMsi"
-        Condition="'$(SignCoreSdk)' == 'true'"
+        Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
        DependsOnTargets="SetSignProps">

    <ItemGroup>
      <SdkMsiFilesToSign Include="$(SdkMSIInstallerFile)" />
-
-      <SdkMsiFileSignInfo Include="@(SdkMsiFilesToSign->'%(Filename)%(Extension)')">
-        <CertificateName>$(InternalCertificateId)</CertificateName>
-      </SdkMsiFileSignInfo>
-      <DistinctSdkMsiFileSignInfo Include="@(SdkMsiFileSignInfo->Distinct())" />
    </ItemGroup>

    <Microsoft.DotNet.SignTool.SignToolTask
        DryRun="$(_DryRun)"
        TestSign="$(_TestSign)"
-        CertificatesSignInfo="$(CertificatesSignInfo)"
+        CertificatesSignInfo="@(CertificatesSignInfo)"
        ItemsToSign="@(SdkMsiFilesToSign)"
        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(DistinctSdkMsiFileSignInfo)"
+        FileSignInfo="@(FileSignInfo)"
        FileExtensionSignInfo="@(FileExtensionSignInfo)"
        TempDir="$(ArtifactsTmpDir)"
        LogDir="$(ArtifactsLogDir)"
@ -179,7 +121,7 @@
  </Target>

  <Target Name="SignTemplatesMsis"
-      Condition="'$(SignCoreSdk)' == 'true'"
+      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
      DependsOnTargets="SetSignProps">

    <ItemGroup>
@ -191,21 +133,14 @@
      <TemplatesMsiFilesToSign Include="$(Templates30MSIInstallerFile)" />
      <TemplatesMsiFilesToSign Include="$(Templates21MSIInstallerFile)" />
    </ItemGroup>
-    
-    <ItemGroup>
-      <TemplatesMsiFileSignInfo Include="@(TemplatesMsiFilesToSign->'%(Filename)%(Extension)')">
-        <CertificateName>$(InternalCertificateId)</CertificateName>
-      </TemplatesMsiFileSignInfo>
-      <DistinctTemplatesMsiFileSignInfo Include="@(TemplatesMsiFileSignInfo->Distinct())" />
-    </ItemGroup>

    <Microsoft.DotNet.SignTool.SignToolTask
        DryRun="$(_DryRun)"
        TestSign="$(_TestSign)"
-        CertificatesSignInfo="$(CertificatesSignInfo)"
+        CertificatesSignInfo="@(CertificatesSignInfo)"
        ItemsToSign="@(TemplatesMsiFilesToSign)"
        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(DistinctTemplatesMsiFileSignInfo)"
+        FileSignInfo="@(FileSignInfo)"
        FileExtensionSignInfo="@(FileExtensionSignInfo)"
        TempDir="$(ArtifactsTmpDir)"
        LogDir="$(ArtifactsLogDir)"
@ -216,7 +151,7 @@
  </Target>

  <Target Name="SignSdkBundle"
-      Condition="'$(SignCoreSdk)' == 'true'"
+      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
      DependsOnTargets="SetSignProps">

    <!-- Extract engine from bundle -->
@ -225,16 +160,14 @@
    <!-- Sign engine-->
    <ItemGroup>
      <EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" />
-      <EngineFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostBundleEngineName)'))"
-                          CertificateName="$(InternalCertificateId)"/>
    </ItemGroup>
    <Microsoft.DotNet.SignTool.SignToolTask
        DryRun="$(_DryRun)"
        TestSign="$(_TestSign)"
-        CertificatesSignInfo="$(CertificatesSignInfo)"
+        CertificatesSignInfo="@(CertificatesSignInfo)"
        ItemsToSign="@(EngineFileToSign)"
        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(EngineFileSignInfo)"
+        FileSignInfo="@(FileSignInfo)"
        FileExtensionSignInfo="@(FileExtensionSignInfo)"
        TempDir="$(ArtifactsTmpDir)"
        LogDir="$(ArtifactsLogDir)"
@ -248,17 +181,15 @@
    <!-- Sign bundle -->
    <ItemGroup>
      <BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" />
-      <BundleFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostMSIInstallerFile)'))"
-                          CertificateName="$(InternalCertificateId)"/>
    </ItemGroup>

    <Microsoft.DotNet.SignTool.SignToolTask
        DryRun="$(_DryRun)"
        TestSign="$(_TestSign)"
-        CertificatesSignInfo="$(CertificatesSignInfo)"
+        CertificatesSignInfo="@(CertificatesSignInfo)"
        ItemsToSign="@(BundleFileToSign)"
        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(BundleFileSignInfo)"
+        FileSignInfo="@(FileSignInfo)"
        FileExtensionSignInfo="@(FileExtensionSignInfo)"
        TempDir="$(ArtifactsTmpDir)"
        LogDir="$(ArtifactsLogDir)"
@ -269,25 +200,20 @@
  </Target>

  <Target Name="SignSdkPlaceholderMsi"
-      Condition="'$(SignCoreSdk)' == 'true'"
+      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
      DependsOnTargets="SetSignProps">

    <ItemGroup>
      <SdkPlaceholderMsiFilesToSign Include="$(SdkPlaceholderMSIInstallerFile)" />
-
-      <SdkPlaceholderMsiFileSignInfo Include="@(SdkPlaceholderMsiFilesToSign->'%(Filename)%(Extension)')">
-        <CertificateName>$(InternalCertificateId)</CertificateName>
-      </SdkPlaceholderMsiFileSignInfo>
-      <DistinctSdkPlaceholderMsiFileSignInfo Include="@(SdkPlaceholderMsiFileSignInfo->Distinct())" />
    </ItemGroup>

    <Microsoft.DotNet.SignTool.SignToolTask
        DryRun="$(_DryRun)"
        TestSign="$(_TestSign)"
-        CertificatesSignInfo="$(CertificatesSignInfo)"
+        CertificatesSignInfo="@(CertificatesSignInfo)"
        ItemsToSign="@(SdkPlaceholderMsiFilesToSign)"
        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(DistinctSdkPlaceholderMsiFileSignInfo)"
+        FileSignInfo="@(FileSignInfo)"
        FileExtensionSignInfo="@(FileExtensionSignInfo)"
        TempDir="$(ArtifactsTmpDir)"
        LogDir="$(ArtifactsLogDir)"